Spectre: A Dependable Introspec3on Framework via System ...

Spectre:ADependableIntrospec3onFrameworkviaSystem

ManagementModeFengweiZhang,KevinLeach,KunSun,andAngelosStavrou.

InDSN'13.

PresentedbyFengweiZhang

WayneStateUniversity CSC6991TopicsinComputerSecurity 1

Agenda

•  Introduc3on•  Background•  SystemFramework•  ExperimentalResults•  Conclusion


Agenda



Introduc3on

•  Malwaredetec3onandanalysisremainanopenresearchproblem

•  ︎Tradi3onally,malwaredetec3onisprovidedbyinstallingan3-malwaretools(e.g.,an3-virus)withintheOS

•  ︎However,thesedetec3ontoolsarevulnerabletomalwarerunningatthesamelevel(e.g.,rootkits)

•  ︎’Out-of-box’introspec3onmechanismproposedformalwaredetec3onandanalysis(e.g.,Virtualmachineintrospec3on)


Introduc3on•  VirtualMachineIntropsec3on(VMI)systemsrunmalwarewithina

VManduseanalysistooltointrospectthemalwarefromoutside•  ︎VMIsystemshavebeenwidelyadoptedformalwaredetec3onand

analysis.Theyisolatethemalwaredetec3onso]warefromavulnerableguest[4,5,6]

•  Limita3onsofVMIsystems:–  LargeTrustedCompu3ngBase(TCB)(e.g.,Xen4.2has208Klinesof

code)–  ArmoredmalwarecandetectthepresenceofaVMandalteritsown

execu3on(e.g.,an3-VMtechniques)–  Highperformanceoverhead

•  WepresentSpectre,adependableintrospec3onframeworkviasystemmanagementmode


Agenda



BackgroundSystemManagementMode(SMM)•  ACPUmodeonthex86Architecture.•  A]erenteringintoSMM,itexecutestheSystemManagement

Interrupt(SMI)handler•  SMIhandlerstoresatasealedstoragecalledSystemManagement

RAM(SMRAM)•  BIOSlockstheSMRAM,andtheSMRAMisinaccessiblefromany

otherCPUmodes•  SMM-basedsystems

–  Integritychecking:HyperGuard[7],HyperCheck[8],–  HyperSentry[1]–  SMMrootkits[3,2]–  AgacksagainstSMM[9]


Background

BasicInputandOutputSystem(BIOS)andCoreboot•  BIOScodeisstoredon-vola3leROM,anditisresponsibleforhardwareini3aliza3onbeforeOSstarts.

•  CorebootisanopensourceprojectaimedtoreplacetheBIOSincurrentcomputer

•  SpectreusesacustomSMIhandlerinCoreboot


Agenda



SystemFramework

Target Machine

SPECTRE system regularly introspects native memory on target machine

Monitor

Machine

Enter

SMM

Rebuild

semantic

data

Check kernel code

Check kernel data

Check program data

optional custom module ...

Report alerts

select module

‘heartbeat’

attack occured?


SystemFramework

•  Step1:PeriodictriggeringofSMM

Target Machine


Monitor

Machine

Enter

SMM


SystemFramework

•  Step1:PeriodictriggeringofSMM•  Step2:Rebuildingseman3cinforma3on

Target Machine


Monitor

Machine

Enter

SMM

Rebuild

semantic

data


SystemFramework

•  Step1:PeriodictriggeringofSMM•  Step2:Rebuildingseman3cinforma3on•  Step3:Runningadetec3onmodule

Target Machine


Monitor

Machine

Enter

SMM

Rebuild

semantic

data

Check kernel code

Check kernel data

Check program data


select module


SystemFramework

•  Step1:PeriodictriggeringofSMM•  Step2:Rebuildingseman3cinforma3on•  Step3:Runningadetec3onmodule•  Step4:Communica3onwithmonitorserver

Target Machine


Monitor

Machine

Enter

SMM

Rebuild

semantic

data

Check kernel code

Check kernel data

Check program data


Report alerts

select module

‘heartbeat’

attack occured?


Step1:PeriodicTriggeringofSMM

•  TwowaystotriggeranSMI– So]ware-based:writetoanACPIportspecifiedbychipsets

– Hardware-based:NICcard,keyboard,mouse,andhardware3mer

•  Hardware-basedmethodismorereliablethanso]ware-basedmethod,soweuseahardware3meratsouthbridgetoperiodicallyassertanSMI


Step2:RebuildingSeman3cInforma3on

•  SMMonlyseestherawmemory,anddoesnotknowtheseman3csofthememory(e.g.OSdatastructures)

•  Similartotheseman3cgapprobleminVMIsystems•  Wemanuallybridgetheseman3cgapinourprototype,automa3cally

bridging(e.g.,Virtuoso[6],VMST[4])

PEB

Executive Process

Heap List

Process Environment Block

Heap H0

Heap H1

Heap H2

Heap H3

Heap H4

...Heap Hn

Heap List

Heap H0 Metadata

Segment S0

Segment S1

Segment S2

...Segment Sn

Heap

Segment

Segment S0

Metadata...FirstEntryLastEntry

Entry E1

Entry E2

Entry E3

Entry ...

Entry En

Data...

Data...

Data...

Static VA of KPCR

0xffdff000 KPCR KdVersionBlock+34h

PsActiveProcessHead

prev

next+78h

Executive Processe.g., “System”

prev

next

Executive Processe.g., “explorer.exe”

prev

next

Executive Processe.g., “lsass.exe”

prev

next

Handle Table 1Handle Table 2Handle Table 3

Other

Executive

Processes

Other heap

tables

...

...


Seman3cGapProbleminVMI

•  SoK:Introspec3onsonTrustandtheSeman3cGap.BhushanJain,MirzaBasimBaig,DongliZhang,DonaldE.Porter,andRaduSion.InS&P'14.

•  SMM-basedSystems,TrustZone-basedSystems,SGX,otherhardwareisolatedexecu3onenvironments(HIEEs)


Step3:RunningaDetec3onModule

•  Wedemonstratethecapabilityofourframeworkwiththreememory-basedagacks:– Detec3ngheapsprayagacks– Detec3ngheapoverflowagacks– Detec3ngrootkits

•  OthercheckingmodulescanbeextendedintoSpectrewithcorrespondingdetec3onalgorithm


Step4:Communica3onwithMonitorMachine

•  TheSMIhandleralertsthemonitormachineoveraserialorEthernetcable

•  WeporttheNICdriverintoSMIhandlerbecausewedowanttotrustanycodeintheOS

•  ‘Heartbeat’messagecanbeusedtodetectdenialofserviceagack

•  ExitfromSMMandresumeOSstates


Agenda



PrototypeSpecifica3on

•  ︎Hardware– Motherboard:ASUS-M2VMXSE– CPU:2.2GHzAMDSempronLE-1250– RAM:2GBKingstonDDR2– NICs:IntegratedNICandIntele1000GigabitwithPCI

•  ︎So]ware– BIOS:Coreboot+SeaBIOS– OSes:Linux(CentOS5.5)andWindowsXPSP3


MemoryAgacksDetec3on•  Runvariousmemoryagacks,andmeasurethedetec3on3me

intheSMM•  Detec3on3me=TimeatSMMexit-TimeatSMMenter


SystemOverhead•  SpectreisOS-agnos3c,andcandetectmemoryagacksonbothWindowsandLinuxplaqorms.

•  Benchmark:PassMarkonWindowsandUnixBenchonLinux

•  First,werundifferentdetec3onmodules,andrecordtheirbenchmarkscores– Withoutdetec3onmodule

–  Heapspraydetec3onmodule–  HeapOverflowdetec3onmodule–  Rootkitsdetec3onmodule

•  Second,wechangetheSMItriggeringrate,anditrangesfrom1/16sto5s


SystemOverhead

•  X-coordinate:Samplinginterval︎•  Y-coordinate:Percentoverhead

WindowsLinux

5s 2s 1s 12 s

116 s

0%

10%

20%

Sampling interval / s

Perc

ento

verh

ead

Without detection moduleHeap spray moduleHeap overflow moduleRootkit module

5s 2s 1s 12 s

116 s

0%

5%

10%

15%

20%

Sampling interval / s

Perc

ento

verh

ead

Without detection moduleHeap spray detection moduleRootkit detection module


ComparisonwithVMISystems•  Smallercodebase–SpectreonlytrusttheBIOS,butVMI

systemsneedtotrusthypervisor•  Moretransparent–armoredmalwarewithan3-VMtechniques

cannotdetectit•  BegerPerformance


Agenda



Conclusion

•  ︎Weintroduceahardware-assistedframeworkthatcanexaminecodeacrossalllayersofarunningsystem

•  SpectreisOS-agnos3candfullytransparenttohigherlevelso]ware

•  WehaveimplementedaprototypeofourframeworkinbothLinuxandWindows,anddemonstratesthatoursystemcandetectvariousmemoryagacksincludingheapspray,heapoverflowandrootkits.


References


Spectre: A Dependable Introspec3on Framework via System ...

Documents

Transcript of Spectre: A Dependable Introspec3on Framework via System ...